000038104 - What is the network encryption method of RSA NetWitness Platform and how to change the cipher of it?

Document created by RSA Customer Support Employee on Nov 6, 2019Last modified by RSA Customer Support Employee on Dec 19, 2019
Version 2Show Document
  • Comment0
  • View in full screen mode

Article Content

Article Number000038104
Applies ToRSA Product Set: NetWitness Platform
RSA Product/Service Type: Admin Appliance, Core Appliance
RSA Version/Condition: 11.x
Issue

In RSA NetWitness Platform 11.x, what is the network encryption method used on individual port? And how to choose or restrict the cipher?

Resolution

Network encryption method



Administrators can click the ports on and off to support only SSL, only non-SSL, or both.
But Reporting engine service has only non-SSL port 51113.




Encryption cipher configuration and How to choose or restrict the cipher suites?



Web server: 


It is configured at /etc/nginx/conf.d/nginx.conf on Admin server.



  1. SSH to Admin server 
  2. Open /etc/nginx/conf.d/nginx.conf and edit following lines.

        ssl_ciphers "AESGCM:-aNULL:-DH:-kRSA:@STRENGTH";  

  3. Restart ngnix service using below command 


    service nginx restart



The followings are examples.
Output with ssl_ciphers "AESGCM:-aNULL:-DH:-kRSA:@STRENGTH";




Supported cipher suites (ORDER IS NOT SIGNIFICANT):
  TLSv1.2
     TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
     TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384


To restrict AES128, change it to ssl_ciphers "AESGCM:-aNULL:-DH:-kRSA:!AES128:@STRENGTH"; 




Supported cipher suites (ORDER IS NOT SIGNIFICANT):
  TLSv1.2
     TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384

 


Note: ngnix.conf will be reverted when user perform below operations.



orchestration-cli-client --update-admin-node
Save and Apply configuration on "WebUI [ADMIN]-[System]". 



Editing the cipher under "/var/netwitness/config-management/cookbooks/nw-nginx/templates/default/nw-ui.conf.erb" should retain the changes when user performs above operations.
These changes will still revert when user does upgrade or update.


Core services: 


It is configured at Admin-Services-'The service which uses the ssl port'-Explore, /sys/config/ssl.cipher.list 
Default value is '-ALL:!aNULL:HIGH' or '-ALL:!aNULL:!DES:!3DES:HIGH'.
For example, to disable DES and 3DES ciphers add '!DES:!3DES' to the field.

For more information, please refer to the openssl ciphers manual page: https://www.openssl.org/docs/man1.0.2/man1/ciphers.html




Default encryption cipher



When a client asks a server, server will select cipher suites from the list which is provided from the client.
And you can check the ordered default cipher preference list by following the command line.




# openssl ciphers -v 'DEFAULT'



How does VLC secure the logs and forward out in detail?



Same with log collector. encrypted SSL port 56001
Between LC and each event source, each protocol has own encryption method. Refer to the 'Log Collector Service' in the Network Encryption
NetWitness Network Encryption: https://community.rsa.com/docs/DOC-105911




Note: About any encryption on log files stored on the local disk, there is no filesystem level encryption, only transport level encryption.



Public Key length (size)



NetWitness 11.x uses 2048 bit or 4096 bit of Public-Key




Customer provided Certificate



To replace the internally generated web server certificate with a customer issued certificate.
Security Configuration Guide for NetWitness Platform Version 11.2: https://community.rsa.com/docs/DOC-96728



    Appendix A: Customer Provided Certificates


System Security and User Management Guide for RSA NetWitness® Platform 11.3: https://community.rsa.com/docs/DOC-101138



    (Optional) Use a Custom Server Certificate

Attachments

    Outcomes